Untitled Deck Flashcards

(183 cards)

1
Q

Person responsible for handling the technology elements of testing activities

A

Technical Contact

2
Q

Party responsible for handling the project on the client's end.

A

Primary Contact
This can usually be a CISO or other party responsible for the major decisions surrounding the penetration test.

3
Q

Detailed explanation of testing steps

A

Attack narrative

4
Q

what info is included in Scope section of PTES report?

A

pre-engagement defined scope of testing

5
Q

What section of the PTES report shows critical vuln, attack vectors successfully exploited, etc.?

A

Findings section

6
Q

Cost-benefit analysis is part of ___?

A

Client acceptance

7
Q

Windows - remove any keys or scheduled tasks from…?

A

HKLM and HKCU

8
Q

2 tools for Service enumeration

A

NETCAT AND WGET

9
Q

An attack surface analyser similar to Shodan

A

Censys
identify exposed systems

10
Q

2 tools to create malformed packets

A

Scapy
Hping3

11
Q

Open source Server scanner

A

Nikto

12
Q

Social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source?

A

Phishing

13
Q

When an attacker entices the victim into navigating to a malicious web page that has been set up to look official.

A

Pharming

14
Q

Social media site with short statements that promote products

A

Twitter

15
Q

Website enumeration is part of what phase of the pentest process?

A

Recon and footprinting

16
Q

Shodan is used to test…?

A

IoT devices - index devices

17
Q

Tool used to index IoT devices?

A

Shodan

18
Q

NSE

A

Nmap Scripting Engine - write custom logic with Lua

19
Q

Allows enumeration of automation across large IP ranges?

A

NSE
Nmap scripting engine with custom logic written in Lua

20
Q

Big picture document

A

MSA - used to cover recurring costs and unforeseen charges.

21
Q

What we will do, when and for how much is in what document?

A

SOW

22
Q

Measurable targets - reason contract can be terminated is in what document?

A

SLA

23
Q

API testing is associated with …

A

Cloud

24
Q

Document includes reasons a contract can be terminated.

A

SLA

25
Over 6M customers
Level 1
26
Between 1-6M customers
Level 2
27
20K-1M customers
Level 3
28
under 20k customers
Level 4
29
Going outside scope of testing could result in...?
criminal charges
30
Computerized electronic patient records are referred to as...
e-PII
31
Layer 2 =
ARP poisoning MAC address
32
Redirect traffic at Layer 2 to conduct on path attacks?
ARP poisoning - change MAC addresses
33
Network scan with no flags
NULL
34
Wireshark capture of Windows AD or Kerberos traffic, the username is the ...
CNAME - canonical name is the username to be authenticated
35
Signal strength of wireless antenna is referred to as
dBi
36
Measurement of wireless signal in relation to background noise
SNR signal to noise ratio
37
Signal strength of wireless antenna is tested using
dBi
38
Tool for DNS reconn, reverse lookup, validate DNS records
dig - domain information groper
39
Two tools that can craft fully customized DNS responses
Scapy
40
If a tester finds malware, they should
remove immediately
41
Smurf tests what protocol
ICMP
42
Fraggle tests what protocol
UDP
43
Tool to obtain FTP credentials
wireshark
44
nmap -sn or P0
Ping scan only, no port scan; host discovery only
45
Can nmap be used on IoT devices
Yes to collect data
46
Gained access to a windows laptop, what is the command to maintain access?
crontab -l ....etc
47
Remove at conclusion of pentest?
Created user accounts, syslog
48
FOCA
Fingerprinting Organizations with Collected Archives; metadata extraction from PDFs, DOCs, Excel files; can find hidden data; crawls public documents from websites
49
What does Responder do?
Windows: intercepts network authentication requests; credential harvesting and relay attacks on the internal LAN
50
nmap -sA
ACK scan - used to map firewall rules
51
nmap open port means
open and service is listening
52
nmap port closed means
reachable but no service listening
53
nmap port filtered means
Can't see if open or closed; a firewall or packet filter dropped the probe
54
nmap port unfiltered means
accessible but cannot detect if open or closed
55
nmap -A includes:
Aggressive: OS detection, script scan, version detection and traceroute (VOST)
56
nmap -F
Fast scan - checks ~100 commonly used ports
57
nmap command to trigger as few alarms and countermeasures as possible
nmap -sT -vvv -O 192.168.1.2/24 -P0 (now known as -Pn) | -sT uses the TCP stack, which is an expected protocol; -P0 is deprecated in fa
58
NTLM is vulnerable to
Pass the Hash
59
What is NTLM
NT LAN Manager - challenge/response Microsoft authentication protocol
60
Microsoft/Windows challenge/response authentication protocol
NTLM NT LAN Manager
61
Captures network traffic passively
wireshark
62
Shodan
Searches publicly available data indexed from past scans - no direct interaction with target systems
63
Retina and Nessus
Active vuln scans
64
Burp Suite
Actively interacts with web servers
65
Nikto
Actively scans web servers for vuln
66
Build custom DNS or TCP packets
Scapy
67
DDoS that abuses ICMP echo requests
Smurf
68
DDoS that sends spoofed UDP packets
Fraggle
69
RDP port #
3389
70
nmap -sS / nmap -sT / nmap -sU
SYN (stealth) / TCP / UDP
71
nmap -sV / nmap -O / nmap -A
Version / OS / Aggressive - combines OS, version, traceroute
72
nmap -Pn
No ping: treats all hosts as up; useful in firewalled environments where ICMP is blocked
73
SQL ports
1433, 3306
74
HTTP and HTTPS ports
80, 443
75
Party that can be contacted in case of urgent matters
Emergency contact
76
Regular progress briefings with client
Status reports
77
Issues that imply a very high risk to the client's organization
Critical findings. The team should identify findings that are urgent enough to trigger special communications.
78
Artifacts that can provide evidence of a prior security event and could be from malicious sources.
Indicators of compromise
79
Catalyst for possible adjustments to the engagement
Goal reprioritization.
80
Scaling back on efforts if testing is causing issues with client systems; the process of scaling back on the intensity of testing activities
de-escalation
81
Process of providing situational awareness to key client personnel to resolve issues and resume pentesting.
Deconflict
82
Results validation is used to
identify false positives
83
PTES - how to assess and classify vuln
Vuln classification levels
84
Examples of PTES Report TECHNICAL Vulnerabilities
OSI layer; vulns the scanner found; manually identified vulns; overall exposure
85
PTES report LOGICAL vulnerabilities
Non-OSI vuln; type of vuln; how/where it was found; exposure
87
This framework focuses on sharing details about the information gathering, useful exploits, and report findings.
Dradis framework
88
_______ will likely be responsible for making decisions based on the results and recommendations of a pentest report.
C-Suite
89
Who is responsible for implementing recommendations made after the report of findings is submitted to the client?
Technical Staff
90
the ___ involves estimating the implications to the client's organization if a malicious actor were to target the issues identified during the test.
Business impact analysis
91
Refers to the amount and type of potential vuln and threats the organization is willing to tolerate.
92
Data points that the report shows contributed to the quantified vulnerability results.
Measures
93
Quantifiable measurements of the status of results or a process; the report generally expresses them on a scale, for example from 1 to 10.
Metrics
94
Used to have continuous, persistent access to a Linux system
daemon
95
Gathers credentials such as cleartext passwords, hashes and PIN codes
Mimikatz
96
A PenTester wants to initiate persistence on a system. What are some options that the PenTester can use to do this? (Select all that apply.) A. Backdoor B. Reverse shells C. Log in to the system D. Run as a service
Backdoor, reverse shell, run as a service (daemon)
97
A pentester is creating variants and combinations of word lists in an attempt to crack a user's password. What type of action is this?
Rule attack - make use of word lists to create variants and combinations and can then try trimming or expanding words or substituting numbers or special characters for letters.
98
A password cracking tool goes through a list of words until it either finds the password or exhausts the list
Dictionary attack
99
A PenTester is using a tool that allows the PenTester to pivot from one host to another, exfiltrating files from each target to the PenTester's own host. What tool is the PenTester most likely using? A. Registry B. Netcat C. RAT D. Cron job
Netcat - allows the pentester to pivot from one host to another exfiltrating files from each target to the tester's own host.
100
RAT
Remote access tool used to create a back door or a remote access trojan
101
Service that allows receipt of remote PowerShell commands
WinRM
102
Directory where pentesters usually store optional tools on a computer
/opt
103
A PenTester is using Python to write a script in preparation for a PenTest. What can the PenTester do to complete the script quickly as well as take advantage of work that others have already completed? (Select all that apply.) A. Write each line of code from scratch B. Use classes C. Use modules D. Use pre-built libraries
Classes, modules and pre-built libraries.
104
Option that tells PowerShell not to load any particular profile
-nop
105
.NET can be used on..
Windows, Linux, MacOS
106
Reverse engineering process of translating low-level machine code into higher-level assembly language code that is human readable
Disassembly
107
Reverse engineering process of translating an executable into high-level source code to help determine whether the application's logic will produce unintended results.
Disassembly
108
A penetration tester has discovered that a remote access tool can open a shell on a Linux system without even authenticating.
rsh
109
Option to tell Netcat not to perform DNS lookups for host names on the other end of the connection.
-n
110
A PenTester exclusively tests macOS systems and wants to use the command and control tool that will consistently provide the best results for that operating system.
Mythic
111
A threat actor has induced a user to authenticate their session with a pre-determined session ID (SID) which the threat actor also knows. The threat actor is now using this known SID to impersonate the user. What type of session attack is this?
Session fixation This represents a session fixation attack which requires the user to authenticate with a known session identifier that the threat actor will then use for impersonation.
112
Can automatically crawl through a repository looking for accidental commits of secrets that would allow an attacker to modify code in a Git repository.
trufflehog
113
Security risks to web applications are common. Which does the OWASP deem as the most critical? (Select all that apply.) A. Insecure Data Transmission B. Lack of Error Handling C. Secure design D. Lack of Code Signing
Insecure data transmission, lack of error handling
114
Can discover subdomains, directories, and files by brute-forcing from a list of common names.
Gobuster
115
A web application brute-force finder for directories and files that comes with nine different lists, including default directories and common names given by developers.
DirBuster
116
Technical vulnerabilities
OSI layer Manually identified
117
Logical vulnerabilities
Location of vulnerabilities; non-OSI vulnerabilities; vulnerability type
118
Policy-based vulnerabilities
Password complexity requirements
119
Which contact person is responsible for handling the project on the client's end and is responsible for the major decisions surrounding the penetration test?
Primary contact
120
Technical - scanner first (then verify by hand). Logical - always manual (no scanner will tell you "you can skip step 3" in a checkout).
121
Acronym to remember technical vs logical: TOM vs BLO. TOM = "Technical = OSI = Machine"; BLO = "Business Logic - Own it (attack the flow)"
122
One-sentence recall: Technical - did the automated scanner light up here? Great, it's a known protocol or service issue. Logical - can I break the app's rules or business steps by tampering with data or skipping pages? That's a logic flaw.
123
Putting it into PTES context
124
Nikto - web service vuln scanner
125
Nmap
Navigate the network map. Think of Nmap as your "network GPS": it maps everything out before you move in.
126
Netcat
Reads/writes raw TCP/UDP streams; can banner grab, transfer files, open reverse/forward shells
127
Nessus Essentials
Automated vuln scanner "need to know weak points"
128
OpenVAS
Open-source version of Nessus; open = open source, VAS = vuln-scan
129
Nikto
Web-server scanner: "nicks away at web servers" - nicks away at every HTTP path until it finds a weakness
130
Burp Suite
Web application testing: "the web app's doctor - inspects every request/response"
131
OWASP ZAP
Similar to Burp Suite - free web-app proxy/scanner; scans for common web flaws (XSS, SQLi, insecure cookies). ZAP - zap bad web bugs
132
sqlmap
Maps out SQL databases via injection; visualize a "map" of tables and data exposed through injection
133
Password cracking
John the Ripper Hashcat
134
Mimikatz Windows
Harvests credentials; extracts plaintext passwords and hashes; retrieves Kerberos tickets; performs pass the hash
135
Recon
nmap, netcat, nessus/openvas; nmap - map, nikto - nick
136
Secrets = trufflehog; crawls through a repository (Git)
137
XSRF / SSRF
XSRF: between an authorized user of a website and the website itself. SSRF: between the server and the resources it can access, including itself
138
Session fixation
User authenticates with a known session identifier (SID) that the threat actor will then use for impersonation
139
Command injection
Input to the web server, which then passes this input to a system shell for execution
140
Code injection
Introduces malicious code into a vulnerable application
141
GoBuster DirBuster
Gobuster is a pure CLI tool (written in Go). If the question says "which command-line tool..." or "run from a terminal," that's almost always Gobuster. DirBuster is a Java GUI application (part of OWASP). If they mention a point-and-click interface or a Swing/Java window, that's DirBuster.
142
MQTT
Message Query Telemetry Transport - carries messages between IoT devices but does not encrypt the data. Port 1883
143
BLE
Bluetooth Low Energy connection is common with many IoT devices; used to communicate over short distances, uses less energy than Bluetooth.
144
Hyperjacking
When a malicious actor takes control of the hypervisor; a Class 1 virtual environment attack
145
VM escape
Where malware running in a VM is able to interact directly with the hypervisor
146
IIoT
Industrial Internet of Things - a complement to a SCADA system, as it merges the control functionality with the data collecting ability of an IoT device.
147
IoT devices can pass data in what basic ways?
Machine-to-machine (M2M) Machine-to-person (M2P)
148
CoAP
Constrained Application Protocol: open-source protocol for IoT; uses UDP
149
Top 2 IoT OWASP weaknesses
Weak, guessable or hardcoded passwords; insecure network services
150
MQTT
Open-source protocol for IoT
151
CoAP - Coercive parsing attack
Coercive parsing attacks can attempt to exhaust system resources by exploiting protocol-specific vulnerabilities. For example, in CoAP, these attacks leverage malformed CoAP messages targeting resource-constrained implementations.
152
CoAP IoT attacks
Coercive parsing attack - exhausts system resources by exploiting protocol-specific vulnerabilities. Spoofing - possible because CoAP uses UDP and UDP does not use a handshake; can get the device to accept malicious code. Packet amplification - attack where the malicious actor will search for a list of abusable IP addresses, then send a flood of UDP packets; the flood of responses results in packet (and bandwidth) amplification.
153
MQTT attacks (IoT)
MQTT uses authentication, but data is not encrypted. Sniffing - possible because data is not encrypted. Data modification - modify a captured packet (integrity attack). Shodan / joining a botnet - poison unsecured IoT devices using MQTT so they become part of a botnet (attack on availability).
154
Shodan
Passive recon: specialized search engine for internet-connected devices. Crawls the internet looking for live hosts, grabs banners and catalogs them by IP, port and protocol. Lets you discover devices and services without actively scanning the network; you can see which IPs are running open ports and what software versions they're exposing. Shodan - IoTd
155
ICS
An industrial control system (ICS) is any system that enables users to control industrial and critical infrastructure assets over a network.
156
SCADA
A Supervisory control and data acquisition (SCADA) system is a type of ICS that manages large-scale, multiple-site devices and equipment that are spread over geographically large areas from a host computer.
157
Intelligent platform management interface (IPMI).
This enables the admin to more easily monitor and control servers on a centrally located interface. When correctly configured, this restricts access so that only authorized individuals can access management functions. However, if the management interface is not correctly configured, this can expose the network, which can provide a malicious actor with the ability to have direct access to the data.
158
Postman
APIs
159
Frida hooks functions at runtime by injecting JavaScript into a live process; can intercept and modify behavior on the fly
In-process fuzzing is Frida
160
Mobile Security Framework (MobSF)
Can provide an automated evaluation of code and malware analysis using both static analysis and dynamic analysis.
161
COBO
Corporate owned/business only
162
Wifite2
A wireless auditing tool you can use to assess the WLAN. Wifite2 can launch a variety of attacks including Pixie attacks, PMKID cracking, and more.
163
Airmon-ng
Enables and disables monitor mode on a wireless interface. Airmon-ng can also switch an interface from managed mode to monitor mode.
164
Spooftooph
A tool that can either spoof or clone a Bluetooth device. Keep in mind, before making any changes to a Bluetooth adapter, you must run Spooftooph with root privileges.
165
ScoutSuite
An open-source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud.
166
EAPHammer
Another Python-based toolkit with a wide range of features. It provides options that the team can use to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in an easy-to-use platform.
167
WPA3
Includes advanced features to secure wireless transmissions, such as 192-bit encryption when using WPA3-Enterprise mode (used in business LANs).
168
Wireless mode b - create the appearance of many wireless networks
Mode b creates the appearance of many wireless networks. MDK4 is a powerful Linux based tool that features a wide range of attacks.
169
wireless mode a
In mode a, an authentication DoS will send multiple authentication frames to the WAPs in range with the intent of overwhelming the AP.
170
wireless mode d
Mode d will send a deauth to disconnect and disassociate all clients from an AP. MDK4 supports 2.4 to 5GHz and has nine attack modules.
171
wireless mode w
Mode w will provoke an Intrusion Detection and Prevention System confusion attack. When testing with this tool use caution, as some of the attack modules can have a serious negative effect on the network.
172
BLE
Bluetooth Low Energy
173
Responder
MITM-type tool that can be used to exploit name resolution on a Windows network by poisoning **LLMNR**. Responder is also designed to intercept and poison **NBT-NS**. Once a request is intercepted, Responder will return the attacker's host IP as the name record.
174
PowerShell is an enumeration tool that uses cmdlets, which are verb-noun pairings used to achieve a task, such as Get-Help, and can enumerate information such as OS version, shares, files, services, Registry keys, and policies.
175
In a PaaS environment, multiple tenants often share underlying hardware (CPU, memory, cache, etc.). This multi-tenant, shared infrastructure makes PaaS specifically susceptible to side-channel attacks—where an attacker co-located on the same server can infer sensitive data (e.g., cryptographic keys) by measuring timing, cache usage, or other hardware-level “leakage.”
176
While there are many repositories available, the team can use the Exploit Database (Exploit DB) which provides a complete collection of public exploits and vulnerable software in a searchable database.
177
Slowloris
Fake web connections
178
An on-path attack is when a malicious actor sits in the middle or in the path of a connection.
179
Timestomp
Changing time values is possible by using Metasploit's Meterpreter tool called TimeStomp, which allows you to delete or modify timestamp-related information on files.
180
A penetration tester has established a foothold inside a network and wants to conduct reconnaissance inside while remaining anonymous. What could they use to best accomplish this? A. SOCKS B. masscan C. Ostinato D. Snow
Proxy servers are used on a network to mediate the communications between a client and another server. One method is to use Socket Secure (SOCKS).